Multivariate Cryptography Part 2: UOV and Rainbow Albrecht Petzoldt - PowerPoint PPT Presentation

Multivariate Cryptography Part 2: UOV and Rainbow Albrecht Petzoldt PQCrypto Summer School 2017 Eindhoven, Netherlands Tuesday, 20.06.2017 A. Petzoldt Multivariate Cryptography PQCrypto Summer School 1 / 34

Oil-Vinegar Polynomials [Pa97] Let F be a (finite) field. For o , v ∈ N set n = o + v and define v v v n n � � � � � p ( x 1 , . . . , x n ) = α ij · x i · x j + β ij · x i · x j + γ i · x i + δ i =1 j = i i =1 j = v +1 i =1 � �� � � �� � � �� � linear terms v × v terms v × o terms x 1 , . . . , x v : Vinegar variables x v +1 , . . . , x n : Oil variables not fully mixed: no o × o terms v × v terms v × o terms o × o terms v terms o terms quadratic quadratic 0 linear in v linear in o δ A. Petzoldt Multivariate Cryptography PQCrypto Summer School 2 / 34

Oil-Vinegar Polynomials (2) Let ˜ p ( x 1 , . . . , x n ) be the homogeneous quadratic part of p ( x 1 , . . . , x n ) p can be written as quadratic form ˜   x 1 . .   ˜ p ( x 1 , . . . , x n ) = ( x 1 , . . . , x n ) · M ·  with .  x n   ⋆ . . . ⋆ ⋆ . . . ⋆ . . . .  . . . .  . . . .      ⋆ . . . ⋆ ⋆ . . . ⋆  v   M =   0 0 ⋆ . . . ⋆ . . .    . . . .  . . . .   . . . .   ⋆ . . . ⋆ 0 . . . 0 v A. Petzoldt Multivariate Cryptography PQCrypto Summer School 3 / 34

The Oil and Vinegar Signature Scheme - Key Generation Parameters: finite field F , integers o , v , set n = o + v central map F : F n → F o consists of o Oil-Vinegar polynomials f (1) , . . . , f ( o ) , i.e. v v v n n f ( k ) = � � � � � α ( k ) β ( k ) γ ( k ) x i + δ ( k ) ij x i x j + ij x i x j + i i =1 j =1 i =1 j = v +1 i =1 and δ ( k ) ∈ R F (1 ≤ k ≤ o ). with α ( k ) ij , β ( k ) ij , γ ( k ) i Compose F with a randomly chosen invertible affine map T : F n → F n public key : P = F ◦ T : F n → F o private key : F , T A. Petzoldt Multivariate Cryptography PQCrypto Summer School 4 / 34

Inversion of the central map Each central polynomial has the form v × v terms v × o terms o × o terms v terms o terms quadratic quadratic 0 linear in v linear in o δ A. Petzoldt Multivariate Cryptography PQCrypto Summer School 5 / 34

Inversion of the central map Each central polynomial has the form v × v terms v × o terms o × o terms v terms o terms quadratic quadratic 0 linear in v linear in o δ Choose random values for the Vinegar variables x 1 , . . . , x v v × v terms v × o terms o × o terms v terms o terms constant constant linear in o 0 linear in o δ ⇒ Linear equation in the o Oil variables A. Petzoldt Multivariate Cryptography PQCrypto Summer School 6 / 34

Inversion of the central map (2) Altogether we get o linear equations in the o variables x v +1 , . . . , x n ⇒ x v +1 , . . . , x n can be recovered by Gaussian elimination If the system has no solution, choose other values for the Vinegar variables x 1 , . . . , x v and try again. A. Petzoldt Multivariate Cryptography PQCrypto Summer School 7 / 34

Toy Example F = GF (7) and o = v = 2 F = ( f (1) , f (2) ) with f (1) ( x ) = 2 x 2 1 + 3 x 1 x 2 + 6 x 1 x 3 + x 1 x 4 + 4 x 2 2 + 5 x 2 x 4 + 3 x 1 + 2 x 2 + 5 x 3 + x 4 + 6 , f (2) ( x ) = 3 x 2 1 + 6 x 1 x 2 + 5 x 1 x 4 + 3 x 2 2 + 5 x 2 x 3 + x 2 x 4 + 2 x 1 + 5 x 2 + 4 x 3 + 2 x 4 + 1 . Goal: Find a pre image x = ( x 1 , x 2 , x 3 , x 4 ) of w = (3 , 4) under the central map F . Choose random values for x 1 and x 2 , e.g. ( x 1 , x 2 ) = (1 , 4), and substitute them into f (1) and f (2) ⇒ ˜ f (1) ( x 3 , x 4 ) = 4 x 3 + x 4 + 4 , ˜ f (2) ( x 3 , x 4 ) = 3 x 3 + 4 x 4 f (1) = w 1 = 3, ˜ f (2) = w 2 = 4 Solve linear system ˜ ⇒ ( x 3 , x 4 ) = (1 , 2) The pre image of w is x = (1 , 4 , 1 , 2). A. Petzoldt Multivariate Cryptography PQCrypto Summer School 8 / 34

Signature Generation Given: message d 1 Use a hash function H : { 0 , 1 } ⋆ → F o to compute w = H ( d ) 2 Compute a pre-image x ∈ F n of w under the central map F ◮ Choose random values for the Vinegar variables x 1 , . . . , x v and substitute them into the central map polynomials f (1) , . . . , f ( o ) ◮ Solve the resulting linear system for the Oil variables x v +1 , . . . , x n ◮ If the system has no solution, choose other values for the Vinegar variables and try again. 3 Compute the signature z ∈ F n by z = T − 1 ( x ). A. Petzoldt Multivariate Cryptography PQCrypto Summer School 9 / 34

Signature Verification Given: message d , signature z ∈ F n 1 Compute w = H ( d ). 2 Compute w ′ = P ( z ). Accept the signature ⇔ w = w A. Petzoldt Multivariate Cryptography PQCrypto Summer School 10 / 34

The attack of Kipnis and Shamir on balanced OV [KS98] Define { x ∈ F n : x 1 = . . . = x v = 0 } O := “ Oilspace ” { x ∈ F n : x v +1 = . . . = x n = 0 } V := “ Vinegarspace ” � � ⋆ ⋆ Let E be an “OV-matrix”, i.e. E = and o ∈ O . Then we have ⋆ 0 E · o ∈ V or E · O ⊂ V . Analogously, we get E − 1 · V ⊂ O . For two OV matrices E and F we therefore get ( F − 1 · E ) · O ⊂ O , i.e. O is an invariant subspace of the matrix F − 1 · E . A. Petzoldt Multivariate Cryptography PQCrypto Summer School 11 / 34

OV Attack (2) Let G i be the matrix representing the homogeneous quadratic part of the i -th public polynomial. Then we have G i = T T · E i · T , with E being an OV-matrix and T being the matrix representing T . Let o ∈ O and v = T − 1 ( o ). We therefore get ( T − 1 · E − 1 · ( T T ) − 1 · T T · E i · T ) · T − 1 ( o ) ( G − 1 G i ) · v = j j T − 1 · E − 1 · E i · o ∈ T − 1 ( O ) , = j i.e. T − 1 ( O ) is an invariant subspace of the matrix ( G − 1 · G i ). j A. Petzoldt Multivariate Cryptography PQCrypto Summer School 12 / 34

OV Attack (3) 1 Choose an index j ∈ { 1 , . . . , o } such that G j is invertible and compute G − 1 · G i j 2 Compute the inverant subspaces of G − 1 · G i j ⇒ Separation of Oil and Vinegar Variables ⇒ Find equivalent affine transformation T ⇒ Find equivalent central map F by F = P ◦ T − 1 A. Petzoldt Multivariate Cryptography PQCrypto Summer School 13 / 34

OV Attack - Summary The attack breaks the balanced OV scheme in polynomial time. The attack works also for v < o For v > o the complexity of the attack is about q v − o · o 4 . ⇒ Choose v ≈ 2 · o (unbalanced Oil and Vinegar (UOV)) [KP99] A. Petzoldt Multivariate Cryptography PQCrypto Summer School 14 / 34

Other Attacks Collision Attack : To prevent collision attacks against the hash seclev function, one needs o ≥ Log 2 ( q ) . Direct Attack : Try to solve the public equation P ( z ) = w as an instance of the MQ-Problem ⇒ public systems of UOV behave much like random systems However: The public systems of UOV are highly underdetermined ( n = 3 · m ) Result [Thomae]: A multivariate system of m equations in n = ω · m variables can be solved in the same time as a determined system of m − ⌊ ω ⌋ + 1 equations. ⇒ m has to be increased by 2. A. Petzoldt Multivariate Cryptography PQCrypto Summer School 15 / 34

Other Attacks (2) UOV-Reconciliation attack : Try to find a linear transformation T which transforms the public matrices G i into the form of UOV matrices � � ⋆ ⋆ ( T T ) − 1 · G i · T − 1 = ⋆ 0 ⇒ Each Zero-term yields a quadratic equation in the elements of T . ⇒ T can be recovered by solving several systems of multivariate quadratic equations A. Petzoldt Multivariate Cryptography PQCrypto Summer School 16 / 34

Parameters security public key private key hash size signature level (bit) scheme size (kB) size (kB) (bit) (bit) UOV(GF(16),40,80) 144.2 135.2 160 480 80 UOV(GF(256),27,54) 89.8 86.2 216 648 UOV(GF(16),50,100) 280.2 260.1 200 600 100 UOV(GF(256), 34,68) 177.8 168.3 272 816 UOV(GF(16),64,128) 585.1 538.1 256 768 128 UOV(GF(256),45,90) 409.4 381.8 360 1,080 UOV(GF(16),96,192) 1,964.3 1,786.7 384 1,152 192 UOV(GF(256),69,138) 1,464.6 1,344.0 552 1,656 UOV(GF(16),128,256) 4,644.1 4,200.3 512 1,536 256 UOV(GF(256),93,186) 3,572.9 3,252.2 744 2,232 A. Petzoldt Multivariate Cryptography PQCrypto Summer School 17 / 34

UOV - Summary unbroken since 1999 ⇒ high confidence in security not the fastest multivariate scheme very large key sizes (comparably) large signatures ⇒ Can we do better? A. Petzoldt Multivariate Cryptography PQCrypto Summer School 18 / 34

The Rainbow Signature Scheme proposed in 2005 by J. Ding and D. Schmidt [DS05] multi layer version of UOV reduces number of variables in the public key ⇒ better performance ⇒ smaller key sizes ⇒ smaller signatures A. Petzoldt Multivariate Cryptography PQCrypto Summer School 19 / 34